OTPulse

GE Healthcare Ultrasound products (Update A)

Priority: Plan Patch | CVSS: 8.4 | Source: ICS-CERT ICSMA-20-049-02 | Published: Feb 18, 2020
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

GE Healthcare ultrasound devices contain vulnerabilities in operating system access controls (CWE-693, CWE-286) that allow attackers with physical access to bypass authentication and gain unrestricted access to the device's operating system. Affected products include Vivid, LOGIQ, Voluson, Versana Essential, Invenia ABUS, and Venue ultrasound systems in all versions. No firmware patches are available from the vendor. Exploitation requires direct physical access and is not remotely exploitable.

What this means
What could happen
An attacker with physical access to an affected ultrasound device could bypass authentication controls and gain access to the device's operating system, potentially allowing them to view, modify, or delete patient data or disrupt clinical operations.
Who's at risk
Healthcare organizations operating GE Healthcare ultrasound systems, including hospitals and imaging centers. Specifically affected equipment includes Vivid ultrasound systems, LOGIQ diagnostic ultrasound devices, Voluson obstetric/gynecologic ultrasound systems, Versana Essential, Invenia automated breast ultrasound scan stations, and Venue ultrasound platforms—essentially all versions of these products except specified exclusions.
How it could be exploited
An attacker must have direct physical access to the device. They can bypass authentication mechanisms to access the operating system without entering valid credentials, then use operating system access to interact with the ultrasound application and underlying data.
Prerequisites
  • Direct physical access to the device
  • No valid credentials required
  • Device must not have system lock password enabled
Key points
  • No authentication required for a physical attacker
  • Low complexity attack
  • No patch available
  • Affects medical devices with patient data access
  • All versions affected
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (6)
All 6 products are end-of-life (EOL)

Product | Affected Versions | Fix Status
Vivid products, not including EchoPAC | vers:all/* (all versions) | No fix (EOL)
LOGIQ, not including LOGIQ 100 Pro | vers:all/* (all versions) | No fix (EOL)
Versana Essential | vers:all/* (all versions) | No fix (EOL)
Invenia ABUS Scan station, not including VScan product line | vers:all/* (all versions) | No fix (EOL)
Venue, not including Venue 40 R1-3 and Venue 50 R4-5 | vers:all/* (all versions) | No fix (EOL)
Voluson, not including ImageVault | vers:all/* (all versions) | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Enable the 'system lock' password in the Administration GUI menu (if available on your device model)
HARDENING: Restrict physical access to ultrasound devices by implementing locked rooms, access control systems, or continuous supervision
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Implement staff security awareness training focused on recognizing and reporting unauthorized persons attempting to access or tamper with medical devices
HARDENING: Provide social engineering awareness training to hospital staff to prevent attackers from gaining confidence or access through deception